[refpolicy] Transition unconfined users to dpkg_t domain

Dominick Grift dominick.grift at gmail.com
Thu Jan 9 11:12:52 EST 2014


On Thu, 2014-01-09 at 16:57 +0100, Laurent Bigonville wrote:

> rpm (and now dpkg since 1.17) are explicitly trying to run the
> maintainer scripts in a specific domain (see
> rpm_execcon()/setexecfilecon()).
> 
> So this means that an unconfined user trying to run dpkg in enforce
> mode will get an error (my laptop is running in permissive so I didn't
> see that before) as context_type_set() will fail.
> 
> An idea how to fix this?

Nope, but I think this should be at least configurable. Heck, how does
dpkg know what type to use with setexeccon? Is that hard-coded? Is there
some configuration file somewhere that it reads that tells it what type
to use? If so, then maybe you can also use that to tell it when to use it
and when not?



